Tue May 01, 2012 5:29 pm
Been there!
So first is for you to truly evaluate if he would do something, secondly for what reason (to gain what). Essentially paranoia can cause a lot of wasted time. Next, did you have him sign anything either during employment or termination that stated that information gained by employment is not to be used for any other reason, and the understood consequences?
Now to the root of your question. You're looking for a needle in a haystack, so you need to narrow it down as to which customers of yours he would most likely target. Which core devices on your infrastructure might he want to compromise? Change the passwords on all of your infrastructure in the least. Then I would take a look at those most likely devices, and run torch for a while to see if you can see anything out of the ordinary. You can also do the same on one of your core devices, preferably during non-peak hours to help limit the traffic you are seeing. You can filter out DNS, HTTP, HTTPS, POP3, SMTP, IMAP, etc. from your torches; this will help.
There are so many different ways to configure a routerboard to do the same things that unfortunately there's not much that you can just go look for in specific. Obviously you will look at the firewall to see if there are some redirects, port forwards, interface mirroring, etc.
If you are really adamant and worried about your CPEs, it wouldn't take too terribly long to log into each CPE and export a config file. Then, using the milliscript program found on this forum, compare a known-good CPE's config to each config on your network. This will quickly point out config differences.
I hope this helps and good luck!
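The config comparison described in the post above, as an added stand-alone example (not the milliscript program mentioned, and not code from the poster): it parses RouterOS `/export` text, joins backslash-continued lines, drops comment lines, ignores sections assumed to differ legitimately per CPE (`/system identity`, `/ip address`), and reports commands present on a device but not in the known-good baseline, and vice versa. Both configs are constructed samples.

```python
"""Compare exported RouterOS configs against a known-good baseline."""
import re
from collections import Counter

# Sections assumed to differ per CPE by design and therefore ignored.
IGNORED_SECTIONS = {"/system identity", "/ip address"}

# Constructed sample exports (not real device output).
BASELINE = """\
# may/01/2012 17:00:00 by RouterOS 5.14 (constructed sample)
/ip address
add address=10.0.0.2/30 interface=wlan1
/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
/ip service
set telnet disabled=yes
/system identity
set name=cpe-known-good
"""
SUSPECT = """\
# may/01/2012 17:05:00 by RouterOS 5.14 (constructed sample)
/ip address
add address=10.0.0.6/30 interface=wlan1
/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=dstnat protocol=tcp dst-port=8291 action=dst-nat \\
    to-addresses=192.168.88.10 to-ports=8291
/ip service
set telnet disabled=no
/system identity
set name=cpe-17
"""

def parse_export(text):
    """Return a Counter of (section, command) tuples from an export.
    Comment lines are dropped; backslash continuations are joined and
    whitespace is normalised so cosmetic differences do not show up."""
    joined = re.sub(r"\\\r?\n\s*", " ", text)  # join continued lines
    section, cmds = "", Counter()
    for raw in joined.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header, e.g. /ip firewall nat
            section = line
            continue
        if section not in IGNORED_SECTIONS:
            cmds[(section, line)] += 1
    return cmds

def diff_configs(baseline_text, device_text):
    """Return (added, missing): commands only on the device, and only in baseline."""
    base, dev = parse_export(baseline_text), parse_export(device_text)
    return sorted((dev - base).elements()), sorted((base - dev).elements())

if __name__ == "__main__":
    added, missing = diff_configs(BASELINE, SUSPECT)
    for sec, cmd in added:
        print(f"+ {sec}: {cmd}")   # e.g. the unexpected dst-nat rule
    for sec, cmd in missing:
        print(f"- {sec}: {cmd}")   # e.g. telnet no longer disabled
```

Run it against each exported CPE config in turn; an empty result means the device matches the baseline outside the ignored sections.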